Malicious PDF — malware analysis report

Static analysis result for SHA-256 177c1eef2ea5ceb4…

MALICIOUS

PDF

50.6 KB Created: 2020-04-20 00:55:52 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3cb0add185a17a54d489542640e3d061 SHA-1: ce28d7388593f8b249da21f74ea7d77bb471c136 SHA-256: 177c1eef2ea5ceb42f1d3416916c6bf521d1a8e8b12c27a778c319afcb124fca
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1190 Exploit Public-Facing Application

The PDF document contains numerous external links, characteristic of a link farm designed to inflate search engine rankings or distribute malicious content. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly indicates the document's purpose is to deceive users into paying fees for non-existent prizes or parcels. The presence of many external URLs, including one pointing to a PDF file, suggests a multi-stage attack or a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://acimlovesong.com/uploads/1/3/0/7/130776350/130776350.html#intracranial+arteriovenous+malformation+embolization
    • http://sellerseducation.com/uploads/1/3/0/8/130815017/e473c5ebbb6f.pdf
    • http://aluma-form.com/uploads/1/3/0/7/130739169/mexituxun.pdf
    • http://bipolarconfessions.com/uploads/1/3/1/3/131379183/5730238.pdf
    • http://worldcivilizationonline.com/uploads/1/3/1/3/131380320/9cc98e062ddd4.pdf
    • http://solecobbler.com/uploads/1/3/0/8/130814645/4288645.pdf
    • http://fidaldermadermatologialda.com/uploads/1/3/0/4/130435807/602027.pdf
    • http://lightwavecommercial.com/uploads/1/3/1/3/131383352/60de7437ede.pdf
    • http://bcarolinayjoseantonio.com/uploads/1/3/0/6/130604546/lufekene.pdf
    • http://green-powergarage.com/uploads/1/3/0/6/130621435/7746135.pdf
    • http://jllcapitalmarkets55westmonroe.com/uploads/1/3/0/6/130639136/xoxawetavameri_legevasuvawa.pdf
    • http://schatzchistli.net/uploads/1/3/1/4/131438814/1c953808bcfeaed.pdf
    • http://gamerampage.net/uploads/1/3/1/3/131379217/fugesonolor.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009b48.bin
5fd28cd21030cc39f9acfbcdbbc65b61b55879a76a750b53a09a00aaa89fb5b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B48 8860 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.